Page 50 - CISSO_Prep_ Guide
Roles and Responsibilities:
Ownership
Earlier in this chapter, we discussed the role of senior management as the primary and ultimate authority for the protection of the assets of the organization. We know that senior management must support the establishment of a security program through the designation of a person responsible for security. Without someone "owning" security, security simply does not happen. Security is not something that comes naturally to an organization - it must be purposely and intentionally built into the business processes. Security is like an ingredient in a recipe - if an element is left out when the cake is being prepared, then that component is simply not there. The finished product will be tasteless or incomplete, and there is no way to quickly correct the problem of a missing part once the cake is baked. Security is provided through a conscious effort and must be appropriately measured, controlled, and added into the batter in such a way as to become a part of (integrated into) every area of the business.
The Security Manager
The security manager is the person responsible for leading the security program. The security manager must be familiar with local laws, standards, the culture of the organization, and best practices in the industry. Ideally, the security manager should be certified and have formal education in the field of Information Security. Information security is a broad field and few, if any, people have experience or familiarity with all areas of information security. Through experience and training, many